yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #14493
[Bug 1321378] [NEW] keystone user-role-* operations fail when user no longer exists in underlying catalog
Public bug reported:
When using an external user catalog (in our case, AD), if the user is
removed on the backend catalog, the user-role-* keystone CLI commands no
longer work, because keystone cannot look up the user.
The specific situation is a user had been granted roles on some
projects, but then that uesr left the company and was removed from the
backend directory. When going back to remove the roles assigned to that
user, the keystone commands fail.
It may still be possible to do these operations directly through the
API, I didn't check that. But ultimately was able to work around it by
directly removing the entries in the keystone user_project_metadata
table.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1321378
Title:
keystone user-role-* operations fail when user no longer exists in
underlying catalog
Status in OpenStack Identity (Keystone):
New
Bug description:
When using an external user catalog (in our case, AD), if the user is
removed on the backend catalog, the user-role-* keystone CLI commands
no longer work, because keystone cannot look up the user.
The specific situation is a user had been granted roles on some
projects, but then that uesr left the company and was removed from the
backend directory. When going back to remove the roles assigned to
that user, the keystone commands fail.
It may still be possible to do these operations directly through the
API, I didn't check that. But ultimately was able to work around it
by directly removing the entries in the keystone user_project_metadata
table.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1321378/+subscriptions
Follow ups
References